As part of incident response, a technician is taking an image of a compromised system and copying the image to a remote image server (192.168.45.82). The system drive is very large but does not contain the sensitive data. The technician has limited time to complete this task. Which of the following is the BEST command for the technician to run?
A) tar cvf - / | ssh 192.168.45.82 "cat - /images/image.tar"
B) dd if=/dev/mem | scp - 192.168.45.82:/images/image.dd
C) memdump /dev/sda1 | nc 192.168.45.82 3000
D) dd if=/dev/sda | nc 192.168.45.82 3000

Question

As part of incident response, a technician is taking an image of a compromised system and copying the image to a remote image server (192.168.45.82). The system drive is very large but does not contain the sensitive data. The technician has limited time to complete this task. Which of the following is the BEST command for the technician to run?
A) tar cvf - / | ssh 192.168.45.82 "cat - > /images/image.tar"
B) dd if=/dev/mem | scp - 192.168.45.82:/images/image.dd
C) memdump /dev/sda1 | nc 192.168.45.82 3000
D) dd if=/dev/sda | nc 192.168.45.82 3000

Quizplus · Accepted Answer

The command "dd if=/dev/sda | nc 192.168.45.82 3000" is the best choice as it uses 'dd' to create a raw image of the entire system drive and 'nc' (netcat) to transfer it over the network, which is efficient for large data transfers.

As Part of Incident Response, a Technician Is Taking an Image